Patchwatcher security improvements

Ambroz Bizjak ambro at b4ever.net
Mon Sep 8 18:42:08 CDT 2008


> Interesting. One of my goals is to support Solaris and BSD;
> have you tried your stuff there?
Not yet, but that stuff is pretty generic, so it shouldn't be hard to get
it to work.

> I'm surprised you had to give up on the chroot...
> I was planning on trying to run just wine-slave.sh in
> a chroot jail, since it's the only part that would
> actually try to run any part of the wine build system.
Creating the chroot itself is really hard and has to be
done for each platform separately. The basic system and also all
development tools and Wine dependencies have to be copied properly. And
there are the tests with their own bunch of requirements. In the end you
would end up with a chroot that is not much different from the base system
itself.
And it doesn't really bring many security benefits. Many potentially
insecure interfaces have to be exposed anyway (/proc, X server with
OpenGL, sound hardware). If a clean and dedicated system is used and
permissions are properly configured, running stuff on the base system
shouldn't really be a problem. Furthermore, using some advanced access
control system (like SELinux) would probably be easier to configure and
more efficient.

More information about the wine-devel mailing list